<html>
<head><meta charset="utf-8"><title>Impacts of pointer auth on int-ptr transmutes · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html">Impacts of pointer auth on int-ptr transmutes</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="246782804"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246782804" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> riking <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246782804">(Jul 21 2021 at 21:35)</a>:</h4>
<p>I was just reading <a href="https://github.com/rust-lang/rust/issues/286">#286</a> talking about the problems with int-ptr transmutes, and the discussion felt a bit unmotivated, too abstract, and I felt like a concrete hardware example would help clarify motivations.<br>
The ARM 8.3 architecture added support for pointer signing with the PAC\* and AUT\* instructions, and they are nice examples of real-life pointer providence. Why hasn't it been brought up earlier in the discussions?</p>



<a name="246783134"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246783134" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> riking <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246783134">(Jul 21 2021 at 21:39)</a>:</h4>
<p><a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/286#issuecomment-860189806">https://github.com/rust-lang/unsafe-code-guidelines/issues/286#issuecomment-860189806</a><br>
Looking at Ralf's example program here.<br>
A hypothetical compiler could compile this program to PAC protect the stack pointers; let's say that <code>p</code> uses Data-A, <code>q</code> uses Data-B, <code>storage</code> uses Data-A.</p>



<a name="246783327"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246783327" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> riking <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246783327">(Jul 21 2021 at 21:41)</a>:</h4>
<p>The computation of <code>paddr.wrapping_offset(1)</code> successfully stores <code>DataA(p+1)</code> into <code>storage</code>, which cannot equal <code>DataB(q)</code>, so the if statement doesn't execute. But let's just delete the check, say that the two variables _are_ adjacent in this execution, and the hardware would accept a <code>AUTDA DataA(p+1)</code> and end up writing into <code>q</code>.</p>



<a name="246783905"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246783905" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> riking <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246783905">(Jul 21 2021 at 21:46)</a>:</h4>
<p>Inside the <code>if</code>, we successfully write <code>DataB(q)</code> into <code>storage</code>. When we try to access <code>*storage_ptr</code>, that succeeds and reads <code>DataB(q)</code> as a <code>*mut i32</code>. But a <code>*mut i32</code> can't be assumed to be a stack allocation, so we don't know what key to use.<br>
hmm.<br>
I am now wondering whether such a scheme can be successfully compiled on ARM</p>



<a name="246786640"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246786640" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246786640">(Jul 21 2021 at 22:11)</a>:</h4>
<p>The purpose of pointer provenance is not really to map to some hardware feature, but to restrict what memory can be accessed from a pointer in order to allow optimizations</p>



<a name="246786734"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246786734" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246786734">(Jul 21 2021 at 22:12)</a>:</h4>
<p>AFAIK pointer auth requires special language support even in C, so it might not be possible to use that from today's Rust</p>



<a name="246811958"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246811958" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246811958">(Jul 22 2021 at 06:02)</a>:</h4>
<p>Isn't his special language support only required to be used by a programmer in special cases?</p>



<a name="246811985"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246811985" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246811985">(Jul 22 2021 at 06:03)</a>:</h4>
<p>Most code should just work fine without changing anything AFAIK.</p>



<a name="246812044"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246812044" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246812044">(Jul 22 2021 at 06:04)</a>:</h4>
<p>I think only cases like int-ptr transmutes are where you need to change your code.</p>



<a name="246833563"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246833563" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jonas Schievink  [he/him] <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246833563">(Jul 22 2021 at 11:13)</a>:</h4>
<p>Yeah, that's possible, I haven't looked into the extensions in detail</p>



<a name="246952931"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246952931" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246952931">(Jul 23 2021 at 08:35)</a>:</h4>
<blockquote>
<p>and I felt like a concrete hardware example would help clarify motivations.</p>
</blockquote>
<p>FWIW this issue has nothing at all to do with hardware. The issue is entirely one of compiler optimizations.<br>
The entire discussion around provenance is primarily motivated by "we want to do optimizations that would not be correct in an assembly language". So you will often not find hardware motivations, because hardware is not what motivates us.<br>
(But if there are also hardware motivations that would be interesting.)</p>



<a name="246953004"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246953004" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246953004">(Jul 23 2021 at 08:36)</a>:</h4>
<blockquote>
<p>The ARM 8.3 architecture added support for pointer signing with the PAC\* and AUT\* instructions, and they are nice examples of real-life pointer providence. Why hasn't it been brought up earlier in the discussions?</p>
</blockquote>
<p>Because I have zero knowledge of those ARM features. ;)</p>



<a name="246953289"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246953289" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246953289">(Jul 23 2021 at 08:40)</a>:</h4>
<p>I'm afraid I can't quite follow your example, since I lack the background in ARM "pointer authentication".<br>
How should I read <code>DataA(p+1)</code>, what does that mean?</p>



<a name="246957300"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246957300" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246957300">(Jul 23 2021 at 09:31)</a>:</h4>
<p>With pointer authentication there is an instruction that stores an encrypted version of the address in the pointer to make it much harder for an attacker to craft a pointer. This encrypted version is encrypted using a mix of a global random number and a value given to the encryption instruction. The same value has to be used when decypting. The value can be anything, but generally it is different for function pointers, return addresses and heap pointers. When using <code>(uintptr_t)ptr</code> and <code>(void*)num</code> the compiler will automatically insert the right encryption/decryption instruction. When doing an int&lt;-&gt;ptr transmute, the compiler is likely unable to insert this instruction, which means that actually using the pointer will cause a crash due to pointer authentication failure.</p>



<a name="246957414"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246957414" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246957414">(Jul 23 2021 at 09:33)</a>:</h4>
<blockquote>
<p>The same value has to be used when decypting. </p>
</blockquote>
<p>What happens otherwise?<br>
If the encrypted pointers have the same size as the original pointers, then every input will lead to some decryption, so there's not really a way to know one used the right key...</p>



<a name="246961142"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246961142" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Connor Horman <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246961142">(Jul 23 2021 at 10:20)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/136281-t-lang.2Fwg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes/near/246957414">said</a>:</p>
<blockquote>
<blockquote>
<p>The same value has to be used when decypting. </p>
</blockquote>
<p>What happens otherwise?<br>
If the encrypted pointers have the same size as the original pointers, then every input will lead to some decryption, so there's not really a way to know one used the right key...</p>
</blockquote>
<p>Presumably, you get garbage out of the decryption, and, if no other verification takes place, it's probably most likely to land in an unallocated page.</p>



<a name="246962050"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246962050" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246962050">(Jul 23 2021 at 10:31)</a>:</h4>
<p>that doesn't  sound very authenticated, it still has all the same UB</p>



<a name="246962468"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts%20of%20pointer%20auth%20on%20int-ptr%20transmutes/near/246962468" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Connor Horman <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Impacts.20of.20pointer.20auth.20on.20int-ptr.20transmutes.html#246962468">(Jul 23 2021 at 10:37)</a>:</h4>
<p>The difference is that the output is generally unpredictable, so an attacker cannot reliably control the pointers, unless they can also control this global value. Though this, of course, assumes something else isn't going on to actually perform authentication.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>